HIPAA Hosting — What You Need to Know
In the late 1990s, the US Congress passed a law called the Health Insurance Portability and Accountability Act (HIPAA) designed to protect individual health records. Regulations related to the law mandate how health records are stored, who can view them, and how they can be released.
Back when the law was implemented, most health records were paper-based. With advances in technology and storage capacity, health records are now stored on digital media, both online and offline. Even if you are not a health provider, if you deal with apps involving medical records, you must use procedures that are HIPAA compliant to safeguard patient data. Consequently, if you intend to design a website or app involving healthcare data, you must consider HIPAA-based hosting solutions. Let's take a closer look at these solutions, which will help make HIPAA compliance much easier.
Reasons for HIPAA Based Hosting
Whether or not you are a health provider, if you deal with medical records you must comply with HIPAA requirements to protect patient data. As more patient records are digitized and made available online, they become increasingly vulnerable to attacks.
One reason to consider HIPAA-based hosting is to make compliance easier for websites or mobile applications. The regulations governing the management of electronic records can be complex and difficult to implement. When you select a HIPAA-based hosting provider, you free up valuable time and shift part of the compliance burden to your host. Instead of spending time on HIPAA, your team can focus its time and resources on developing a great website or app.
Using a HIPAA-based host also helps reduce or prevent liability. If your website or app is found not to follow regulations, your company is subject to government fines and at risk for lawsuits. The Department of Health and Human Services (HHS) starts enforcement proceedings when it receives a complaint and goes through a review and investigation process. Finally, the case will enter a resolution process where the company or hospital will be ordered to pay fines. In one case, HHS fined New York Presbyterian (PDF) over $3 million because search engines had access to electronic patient data as a result of server misconfiguration.
If you deal with patient data, using a HIPAA-based host will make your customers, healthcare providers, more confident in using your service, resulting in more sales. It will also help build your clients' brands and the trust of their own customers.
Features of HIPAA Hosting
HIPAA plans are not much different from other hosting plans, but they include extra features such as data encryption, firewalls, managed hosting services, intrusion detection systems, and the use of specialized security tools. You still get the standard features of hosting plans available all over the web. Also, just like any other hosting plan, HIPAA hosting plans offer the familiar user interfaces for website administration, such as cPanel or Plesk. The standard plan types available for HIPAA hosting include cloud-based plans, VPS, and dedicated server hosting.
Unlike other hosting plans, however, a web hosting company that is HIPAA compliant is independently and regularly audited. Many organizations go above and beyond HIPAA compliance and are certified as SOC 1, SOC 2, and SSAE compliant, as well as being audited for HITECH compliance.
What's more, your HIPAA host must be extremely responsive. Though many hosting providers offer 24/7 support every day of the year, this alone is not sufficient. The HIPAA hosting provider you select should have guaranteed response times. They should report any security incidents, including data breaches and hacking attempts, in a timely fashion.
A HIPAA hosting company should have security controls covering multiple aspects, including restricting physical access to the data servers. This means monitoring the actual physical location and allowing access only to authorized personnel. Another must-have is encryption, even though, according to HealthITSecurity, HIPAA does not strictly require it. Finally, the hosting provider should make use of firewalls and intrusion detection and prevention systems, and should have staff members who understand HIPAA.
At a minimum, your HIPAA hosting provider should be HIPAA certified. However, you should seriously consider a hosting company that goes above and beyond this, with compliance and certifications in multiple areas including HITECH, SSAE, and SOC 1 and SOC 2 (PDF).
This is about liability; HIPAA hosting provides some amount of insurance. That doesn't mean you no longer have to take great care with patient data, but having HIPAA hosting reduces your risk.
According to web hosting provider Online Tech, the HIPAA rule has been modified to classify any hosting entity dealing with patient health data as a business associate. As a result, such hosts are subject to HIPAA-based requirements and are thus liable for breaches of patient data. In fact, the law firm Davis Wright Tremaine encourages third-party vendors to take extra precautions with data providers.
HIPAA Hosting Isn't Cheap
Since HIPAA compliance requires extra security measures and monitoring, these plans tend to be more expensive than a standard hosting plan. Prices vary depending on the type of plan, but you can easily pay a few hundred dollars a month. Still, this is well worth the expense considering the fines and potential liabilities for non-compliance, which in some cases have totaled millions of dollars for a breach of patient data.
When you need HIPAA hosting, consider companies with specialized infrastructure and staff dedicated to HIPAA compliance. Some of these companies include Liquid Web and Amazon Web Services. But check all the hosts listed at the top of this page.
Here's What Your HIPAA Hosting Needs To Offer
The Health Insurance Portability and Accountability Act (HIPAA) is designed to keep people's medical records private, and for anyone who deals with medical records it is very important. So you must find a host that specializes in all the details that HIPAA requires. Otherwise, you could get into legal trouble, and it could cost you a lot of money. For HIPAA hosting, we recommend LiquidWeb.
HIPAA Hosting Frequently Asked Questions
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is a law established by the US government to protect individual health records from falling into the wrong hands.
The regulations related to HIPAA ultimately determine how health records are stored, who has access to them, and how they can be disseminated.
Does HIPAA apply to electronic records?
Though HIPAA was created when paper records were the norm, the act still applies to electronic records. This includes hosting services, storage services, and even computer or mobile phone applications.
How are HIPAA regulations enforced?
HIPAA regulations are enforced by the Department of Health and Human Services (HHS), which begins enforcement and a thorough investigation once the department receives a complaint.
How do I know if I need HIPAA hosting?
Since this is a legal matter, make sure to consult a legal professional for more information.
However, if you are developing a medical application on any platform that accesses patient data over the web or needs to store patient data on servers accessible from the internet, you need HIPAA based hosting.
What are the consequences of failing to meet regulations?
Companies that fail to meet HIPAA regulations are not only subject to government fines; they can also be subject to lawsuits. In one case, a hospital was fined millions of dollars as a result of a breach of patient data.
So, for your hosting needs, it is very important to choose a well-reputed HIPAA host especially for applications that deal with patient data.
What are some advantages to using a HIPAA based host?
Having a HIPAA host will save you not only time but also money when it comes to implementing a HIPAA-compliant solution and taking steps to safeguard patient data.
Using a HIPAA host allows you to outsource these tasks and focus your efforts on application development instead of compliance. It also reduces your legal risk and helps you build trust with clients in the medical community.
Is HIPAA-based hosting expensive?
Since web hosts that specialize in HIPAA need to take extra steps in safeguarding data, meeting regulations, and undergoing audits, the plans provided by these hosts tend to be more expensive than standard hosting plans.
In general, plans can cost hundreds of dollars a month. But it is worth the cost, especially considering the legal liabilities when patient data is breached.
What types of certifications should a HIPAA based hosting company have?
Since HIPAA covers only the basics of data protection, many hosting companies go above and beyond being HIPAA certified.
Other certifications a host may have include SOC 1, SOC 2, SSAE, and HITECH. As time goes by, newer certifications may be added as a result of developments in the security industry.
How do I know if my host is really HIPAA compliant?
Most hosting companies cannot simply claim to be HIPAA compliant, since doing so would expose them to a huge legal liability. Instead, look for a host that uses HIPAA-compliant datacenters.
In fact, according to Mike Klein, the hosting company's datacenter, or the company itself, should be able to provide you with an HROC (HIPAA Report on Compliance), either outright or under an NDA (non-disclosure agreement).
What extra features does a HIPAA-based hosting company have?
HIPAA-based hosting companies have all the features a standard hosting plan has, plus additional security features.
These features include intrusion detection, intrusion prevention, firewalls, data encryption, and managed hosting, as well as the use of specialized security tools.
What type of support should I get from a HIPAA hosting company?
Your HIPAA hosting provider should offer more than just 24/7 support.
They should have guaranteed response times and provide multiple avenues of support including phone, live chat, support tickets, and email. The host should also report all security incidents immediately.
Whether or not your host publishes this information, consider speaking to company personnel about support options before purchasing a hosting plan.
What are some qualities that a HIPAA host's staffing should have?
When looking for a HIPAA hosting company, you should take a serious look at the employees who work there.
Find out whether the company performs background checks on employees, what types of background checks it performs, and whether it has employees who actually understand and have worked with HIPAA.